Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OPA review and incubation proposal #199

merged 1 commit into from Apr 2, 2019


Copy link

@tsandall tsandall commented Mar 1, 2019


After chatting with @caniszczyk, we felt it was time to propose OPA for the incubation level. There's a link to next week's TOC slides at the end which include additional content.

Signed-off-by: Torin Sandall

Signed-off-by: Torin Sandall <>
Copy link

caniszczyk commented Mar 2, 2019

RFC @cncf/toc

@caniszczyk caniszczyk added this to In progress (due diligence) in TOC Project Backlog Mar 4, 2019
Copy link

caniszczyk commented Mar 4, 2019

@brendandburns has volunteered to do the due diligence and support OPA

FYI @cncf/toc

Copy link

caniszczyk commented Mar 7, 2019

some due diligence via @brendandburns

Here's some verbatum feedback from one of my engineers who lead the azure policy controller and is helping lead gatekeeper (opa + admission control), I'll do my own look too, but I thought I'd pass this along.



At the heart of the OPA鈥檚 premise is to decouple the definition of policy from the enforcement of it providing ability to define fine-grained policy control at various levels of the stack. At the basics it is JSON document store with Rego as the query-able language. The design of it being a general open policy engine allows easily building platform specific policy controllers Gatekeeper to be successful.


The project is well structured and is maintainable, follows good design patterns. I had a chance to add the contribute and enhance the query method in OPA core project. It was easy to make changes i.e. straightforward to satisfy new requirements, and add new test cases in existing test infrastructure. The project has clear and good documentation. The code review process is thorough. The project has does good performance test and security analysis. The github issues are well documented for fresh developers to start making contributions.

Community Support

The support is awesome and growing (supported by folks at Styra). Questions get answered in a near real time. The Gatekeeper project would not have been successful without the help of the level of support (special mention Torin and Tim)


In my last several months of closely working and monitoring this project I see fast growing adoption and interest in the project. With the Gatekeeper project we see interest from all major clouds expecting this project to make it to large number of test and production environments. I am already see products and teams within organization like Microsoft e.g Office, AAD, IOT solving policy problems where OPA would be a natural fit.


There are always this that we are striving to improve, in that spirit arguably there is a learning curve associated with writing new policies in Rego, and sizable portion of questions on Slack channel are related to policy syntax and bugs . The project has done incredible work it making it debuggable and testable to tooling (e.g. vs code extensions). There is work going on via Gatekeeper project to build a constraint framework a higher level abstraction on top of Rego to make policies more reusable.

Copy link

lsitaraman commented Mar 13, 2019

OPA is like SQL for authorization. You have uniformity on how to externalize authZ from platform and how to implement platform /app specific authz rules. You don't need to come up with your own ways of implementing authz like K8 Web Hook and another way on different platform.

@caniszczyk caniszczyk moved this from In progress (due diligence) to TOC Approved (sponsors/voting) in TOC Project Backlog Mar 23, 2019
Copy link

leecalcote commented Mar 26, 2019

To @lsitaraman's analogy, in our use of OPA, we literally created postgres connector as a data source so that we could use OPA "as SQL". Not only did we use OPA as SQL, but used it not for its intended core focus of authorization use cases, but to @brendandburns's point, we used it as a general open policy controller to decouple the definition of policy from the enforcement of policy under the use cases (policies) of duplication and correlation. In stark contrast to alternatives like jBPM, Camunda, and Drools, its cloud native architecture proved to be the best starting point providing ability to define flexible policy control.

An area of ask (with respect to our use cases) is with respect to the ability to define policies and create a workflow of policy relationships:

Policy 1 eval -> on success -> Policy 2 eval -> on success -> Policy 3

When new data comes in, it will be applied the initial policy. So the next time it is taken for processing, the next policy in the flow will be applied. Auditing changes to workflows and policies and versioning for flows and policies are nice-to-haves here.

@caniszczyk caniszczyk merged commit f6ae866 into cncf:master Apr 2, 2019
@caniszczyk caniszczyk moved this from TOC Approved (sponsors/voting) to Done in TOC Project Backlog Apr 2, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
No open projects

Successfully merging this pull request may close these issues.

None yet

5 participants